Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems can be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as “data centers,” may include a computing system or multiple interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf of, or for the benefit of, the general public.
Data centers may provide a number of network-accessible services, such as data storage services, data processing services, content delivery services, or any of a number of other services known in the art. In some instances, multiple services may be provided by a single entity (e.g., a single corporation). In other instances, different entities may provide services by use of a data center operated by another entity. For example, one entity may offer computing resources on an on-demand basis to third parties, such that the third parties can utilize the resources to provide services via a communication network. The entity that makes a service available on a communication network can generally be referred to as a “service provider.” For example, a service provider may be a corporation that makes a specific service, such as a web site, available on a network. A service provider may enable a variety of users to configure different instances of a service, such as different web sites on a web site hosting service or different data stores on a data storage service. Each configuration of a service (e.g., associated with a specific account) can be referred to as a “service instance.” Each service instance may correspond to a user or entity which configured the service instance, which user can generally be referred to as a “service user.” Each service instance can provide access to a respective service, as configured by the service user, to one or more clients. Clients may include, for example, the service user, other service instances (of the same service or different services), or other users (such as members of the general public).
Security and data privacy are often important concerns for network-accessible services. Various security mechanisms can be utilized to protect the integrity of services, such as firewalls or intrusion detection systems. One widely used mechanism is an access control policy. Such a policy can specify, for example, the clients that are allowed access to a service instance, and the actions that those clients are allowed to perform (e.g., which data can be read from, written to, deleted, etc.). Access control policies can be drafted in a number of different formats, and can vary across services.